Author: BlockSec
Introduction
As DeFi continues to reshape the financial landscape, security remains a major challenge for the DeFi ecosystem, with security issues causing billions of dollars in asset losses every year.
According to Chainalysis data, DeFi hacks in 2023 resulted in over $1.1 billion in asset losses. Although this number decreased compared to 2022, new DeFi attack trends emerged in 2023. For example, well-known protocols with a long history of security, such as Curve and KyberSwap, were also targeted. Additionally, complex attacks targeting infrastructure vulnerabilities (such as Flashbots Relay) also emerged.
The Security Incident Dashboard data shows that in the first half of 2024, there were over 50 hacker attacks causing losses of over $100,000 each.
Recent hacker attacks
(Source: Security Incident Dashboard)
https://app.blocksec.com/explorer/security-incidents
Security is crucial for the development of DeFi protocols. Some protocols manage billions of dollars in user assets, and security incidents can result in significant losses for users. While in some cases, stolen funds can be (partially) recovered (such as the Euler attack incident), we cannot rely solely on this hope. Each attack weakens user confidence in DeFi.
Despite the industry proposing many measures to enhance security, there is still significant room for improvement in DeFi security. From a positive perspective, code audits have become a community consensus, with most protocols undergoing audits before going live, which helps reduce the risk of attacks caused by smart contract vulnerabilities. However, relying solely on code audits is far from sufficient to address all security issues. Code audits cannot prevent attacks caused by contract upgrades, configuration changes, and vulnerabilities introduced by external dependencies. Given these limitations, some protocols have begun to adopt more proactive solutions, such as operational monitoring and attack detection systems.
In this article, we will provide an overview of the security measures that can be taken by protocols from the pre-launch, post-launch, to attack response stages to understand the panorama of DeFi security. We will detail each type of security measure and its main vendors/products, as well as their advantages and disadvantages. We hope this article will help the community better understand the current state of DeFi security and inspire innovative security solutions.
DeFi Security Panorama
Security measures for DeFi protocols should span the entire lifecycle from pre-launch to post-launch, ensuring the security of the protocol itself and during operation. Additionally, deploying preventive measures and response plans for potential attacks in advance is equally important. To help readers understand the current DeFi security solutions, we categorize relevant vendors (products) into the following types.
Pre-Launch Security
Security measures that can be taken before the protocol goes live, including code audits, formal verification, and security testing.
Code Audit Services & Competitions
Code auditing is a widely recognized practice to ensure the security of protocols. During this process, security companies conduct semi-automated reviews of frozen code, automatically scanning for common vulnerabilities and manually reviewing complex vulnerabilities. Representative auditing companies include OpenZeppelin, ChainSecurity, and BlockSec.
In addition, there are auditing competition platforms. Unlike auditing companies that directly provide auditing services, these platforms publicly release auditing requirements to attract security researchers in the community to participate in auditing competitions and distribute rewards to participants who discover protocol vulnerabilities. Auditing competition platforms include Code4rena, SHERLOCK, Cantina, and Secure3, each with some differences in vulnerability severity, reward distribution, and participation standards.
Code auditing is the first line of defense for protocol security. However, it also has some limitations, which is why many protocols audited by well-known companies still fail to avoid hacker attacks.
First, static code auditing cannot address security issues caused by protocol dependencies, and the composability of DeFi protocols exacerbates this issue.
Second, during the code auditing process, some issues may not receive sufficient attention. For example, precision loss is a common issue that may be overlooked by auditors and protocol teams. It was not until the Hundred Finance and Channels Finance incidents that the community fully recognized the security impact of precision loss.
Finally, high-quality code auditing is still a scarce resource, requiring interdisciplinary talents with knowledge of security, finance, and computer science, and few universities are currently able to provide such talents on a sustained and large scale. Therefore, some protocols, despite undergoing audits, lack the professional expertise of auditors providing auditing services.
Formal Verification
"Formal verification uses mathematical methods to prove the correctness or incorrectness of a system based on a formal specification or property." Formal verification can ensure that the behavior of DeFi protocols complies with formal specifications. For example, Prover developed by Certora can be used for formal verification of DeFi protocols. Developers provide rules (specifications), and Prover explores every possible program state, compares the results with the rules, and identifies vulnerabilities.
The biggest advantage of formal verification is that it can manage the correctness of DeFi protocols managing billions of dollars in assets through mathematical proofs. However, some limitations in practical application hinder its widespread adoption.
First, the specification needs to be provided by the developer, requiring detailed documentation of the expected behavior of the protocol, which most developers are not experts in this field.
Second, frequent protocol upgrades may require updating the specifications and re-evaluating the protocol, which some protocols may not be able to afford in terms of time and effort.
Despite these limitations, we still believe that protocols should undergo formal verification, especially new protocols that have not been time-tested and manage a large amount of user assets. However, how to enhance the operability of formal verification and increase its adoption rate remains a huge challenge.
Security Testing
Security testing discovers potential issues in the protocol through test cases. Compared to formal verification, which proves the correctness of the protocol through mathematical methods, security testing generally uses specific input data (rather than symbolic input in formal verification), making it more efficient but slightly less comprehensive.
Foundry is a popular smart contract development testing framework. Developers can perform tests in Foundry, and it can also conduct differential testing, invariance testing, and differential testing for DeFi protocols. Other security testing tools include Tenderly and Hardhat.
Post-Launch Security
Security measures that can be taken after the protocol goes live, including Bug Bounty, attack detection, and operational monitoring.
Bug Bounty
Bug Bounty establishes a bridge between protocols and security researchers. Protocols release bounty programs on Bug Bounty platforms, detailing the scope and rewards, and security researchers report zero-day vulnerabilities in the protocol to receive rewards. Immunefi is a representative Web3 Bug Bounty platform.
Attack Detection
Attack detection platforms identify malicious transactions by scanning transactions. Specifically, these platforms scan every transaction interacting with the protocol to look for malicious behavior and trigger alerts upon identifying malicious transactions.
For example, BlockSec Phalcon scans every transaction in the mempool and on-chain transactions to identify malicious behavior (such as malicious contracts and proposals). It acts as a security guard, tirelessly monitoring every detail of each transaction to find unusual patterns. It extracts behavioral patterns from these transactions and uses financial models (similar to those used by banks to detect fraud) to identify potential attacks. Similar systems include products provided by Hypernative and Hexagate. Additionally, Ironblocks' Venn Security Network provides a decentralized infrastructure to aggregate detection results from multiple sources.
Operational Monitoring
As the name suggests, operational monitoring frameworks monitor the operational security of protocols after they go live. For example, they keep track of changes in administrator keys, smart contract deployments and updates, and automatically detect security vulnerabilities in pull requests. The OpenZeppelin Defender platform helps developers securely write, deploy, and run smart contracts. BlockSec Phalcon monitors contract upgrades, Safe wallet transactions (such as initiation, new signatures, execution), access control, and governance-related risks. Additionally, through the real-time monitoring system Forta Network, users can create bots to monitor protocols or subscribe to existing bots to receive alerts for phishing and other security threats.
Attack Response
Security measures automatically triggered or urgently taken after an attack occurs, including attack blocking, automatic response, War Room, attack cause analysis, and attacker fund tracking.
Among these response measures, attack blocking is particularly noteworthy because it allows projects to deploy preventive measures in advance, blocking attacks before they occur, thereby minimizing losses. Automatic response platforms also help reduce losses caused by attacks.
Establishing a War Room, conducting attack cause analysis, and fund tracking are response measures taken after an attack occurs, which help reduce losses and prevent similar attacks in the future. However, they may have already caused significant losses that are difficult to recover. Additionally, damage to the project's reputation and loss of user trust may have far-reaching negative impacts. While risks seem omnipresent and difficult to defend against, project teams are not limited to passive responses and can deploy preventive measures in advance, which is the recommended approach.
Attack Blocking
Attack detection is an important channel for detecting hacker attacks, but detection alone is not enough to combat hacker attacks. Without automated attack blocking capabilities, manual response measures are often too slow. For example, in the KyberSwap, Gamma Strategies, and Telcoin attack incidents, these protocols took response measures several minutes or even hours after the attack, during which time the hacker initiated multiple attack transactions and stole substantial assets. The July Velocore and Rho attack incidents led to the suspension of Linea and Scroll on the entire chain, raising concerns about the centralization issues in L2 chains.
Attack blocking can automatically prevent hacker attacks, relying on two core technologies: early detection and automatic front-running. Early detection refers to the ability to identify attack transactions before they are included in the chain, while they are still in the mempool stage. Automatic front-running involves prioritizing the submission of a front-running transaction to pause the protocol before the attack transaction is executed, thereby preventing the loss before the attack actually occurs.
In this category, BlockSec Phalcon is the only product with these core technologies. After hackers initiate attack transactions, Phalcon's attack monitoring engine can detect these transactions in advance, alert users to the attack, and automatically front-run to pause the protocol, minimizing the loss to zero. The product's attack blocking capability has been verified in over 20 white-hat rescues, saving over $20 million in assets.
Automatic Response
In addition to attack blocking platforms, Phalcon, Hexagate, and Hypernative platforms can also automatically respond to attacks when they occur.
After subscribing to these platforms, users can set up monitoring and response measures for various protocol risks. If a transaction triggers the monitoring rules, the system will automatically initiate the response measures set by the user (such as pausing the protocol), thereby reducing losses. However, some platforms do not have attack detection engines, and the system cannot directly identify and alert users to attack transactions. Instead, users need to define the conditions under which a transaction can be considered an attack. Since the characteristics of attack transactions are very complex, and users (often contract developers) may not have sufficient security knowledge, this can be challenging for users.
War Room
Establishing a War Room is crucial when a protocol faces an attack. This helps the protocol stay informed, synchronize information with the community in a timely manner, and effectively integrate resources to take response measures, requiring close cooperation among experts from multiple fields.
SEAL 911 aims to "help users, developers, and security researchers directly contact trusted security experts in emergency situations." Users can access this service through the SEAL 911 Telegram Bot (https://t.me/seal911bot) to quickly set up a War Room to address security challenges when the project is under attack.
Attack Cause Analysis
When a protocol is under attack, it is crucial to identify the root cause of the problem, such as vulnerabilities within smart contracts and how the vulnerabilities were exploited. Analyzing attack transactions requires the use of tools, and Phalcon Explorer, OpenChain, and Tenderly are good choices.
Attacker Fund Tracking
Fund tracking involves tracking the initial funds of the attacker and the profits from the attack on the chain to locate related addresses and entities. If these assets flow to centralized entities (such as centralized exchanges and other institutional-level entities), law enforcement agencies can be contacted to help freeze the funds.
Chainalysis, TRM Labs, ARKHAM, ELLIPTIC, and MetaSleuth are representative companies/products in this field. For example, MetaSleuth can automatically track cross-chain fund flows and provide rich address labels. ARKHAM has established a community where protocol teams can post investigation bounties to incentivize community members to assist in tracking the flow of attacker funds.
Security Education Resources
Knowledge is the best defense. In addition to the security vendors and products mentioned earlier, there is another type of role that is crucial for DeFi security: educational platforms. These platforms provide resources and information to help DeFi practitioners and users gain a deeper understanding of security knowledge, raise security awareness, and develop security skills, playing an important role in promoting the security development of DeFi. We pay tribute to these platforms and share the following noteworthy platforms.
SΞCURΞUM: A Discord community focused on Ethereum security, and regularly hosts the smart contract security competition "Secureum RACE".
Security Incidents Dashboard: This platform aggregates and provides real-time updates on attacks with losses exceeding $100,000, including detailed information such as loss amount, affected chains, vulnerability types, attack cause analysis, and PoC.
Rekt: Dubbed as the dark web of DeFi news, it provides in-depth analysis of DeFi exploit, hacker attacks, and fraudulent activities.
RugDoc: A DeFi security and education community. The platform provides project risk assessment information and also has a platform called RugDocWiKi that introduces the DeFi ecosystem and technology.
DeFiHackLabs: A Web3 security community dedicated to helping Web2 security professionals enter the Web3 field, with over 2,000 members globally and nearly 200 white-hat hackers. DeFiHackLabs' repository provides rich learning resources.
Solodit: This platform compiles audit reports from past Web3 audit companies.
Ethernaut: A game based on Web3/Solidity, where players need to identify vulnerabilities in Ethereum contracts, similar to a CTF.
Conclusion
Security issues cause billions of dollars in losses every year and are a serious threat that the DeFi ecosystem faces in the long term. Currently, most security measures focus on security issues before project launch. However, there is no "silver bullet" in the security field. At different stages of protocol development, corresponding measures should be taken to ensure its security throughout the protocol's lifecycle.
We hope the industry can recognize the importance of post-launch security and take measures to monitor protocol risks and automatically block attacks.
We also hope that the DeFi ecosystem can form a consensus on prioritizing security, in order to better protect users' asset security.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
